Mysqli_Real_Escape_String - Problem


mds1256

Hi

When posting from a form on a signin page I am allowing the user to type in their username and password.

If the details cannot be found in the database then I send an error message to the form but populate the input box for username with the value that was submitted.

Now the problem is that I run this value through mysqli_real_escape_string when it is posted, so if the SQL query finds no rows then it displays the signin form again but with the value of $username (which has been escaped by mysqli_real_escape_string).

So when the value is displayed it puts a slash into the username before the character that needs escaping (I have put in a single quote to test).

What would be the best way to echo out the value of $username without the slash? Also, do I need to use htmlspecialchars when echoing the $username value back into the input field?

Thanks


You should do this by wrapping mysql_real_escape_string () around the variable when you add the value to the SQL string, and not overwriting the original value. By using sprintf () this can be done in a more readable manner than just adding the function calls in the string itself.

// Build the query template first; the '%s' placeholders stay inside single quotes.
$query = "INSERT INTO table (field_1, field_2, field_3) VALUES ('%s', %d, '%s')";
// Escape only at the point of use: $string_1 and $string_2 themselves are left intact.
// (mysql_real_escape_string () needs an open connection, and %d casts $number to an integer.)
$query = sprintf ($query, mysql_real_escape_string ($string_1), $number, mysql_real_escape_string ($string_2));

Though, preferably you should move over to MySQLI or PDO, and use prepared statements. (You can read more about them in the PHP manual.)

Edited by Christian F.
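Putting the two posts above together, here is an added example (not code from the thread or from either poster) of the signin handler done the way the answer recommends: the submitted username is never overwritten with an escaped copy; the database lookup uses a mysqli prepared statement, so no SQL escaping is needed at all; and the value is escaped for the HTML context with htmlspecialchars only at the moment it is echoed back into the input field. The `users` table with `username` and `password_hash` columns, the connection constants, and the `/home` redirect target are all assumed for the example.

```php
<?php
// Added example, not code from the original thread. Assumes a `users` table
// with columns `id`, `username` and `password_hash` (output of password_hash()),
// and the connection parameters below (all assumed).
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

const DB_HOST = 'localhost'; // assumed
const DB_USER = 'app';       // assumed
const DB_PASS = 'secret';    // assumed
const DB_NAME = 'appdb';     // assumed

/**
 * Look the user up with a prepared statement. $username is passed untouched:
 * the driver sends it as a separate parameter, so it never becomes part of
 * the SQL text and no mysqli_real_escape_string() call is needed.
 */
function findUser(mysqli $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($id, $hash);
    $row = $stmt->fetch() ? ['id' => $id, 'password_hash' => $hash] : null;
    $stmt->close();
    return $row;
}

/** HTML-context escaping for echoing a value into an attribute or text node. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$username = (string) ($_POST['username'] ?? '');
$password = (string) ($_POST['password'] ?? '');
$error = null;

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $db = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
    $db->set_charset('utf8mb4');

    $user = findUser($db, $username);
    // One generic message whether the username or the password was wrong,
    // so the form does not reveal which usernames exist.
    if ($user !== null && password_verify($password, $user['password_hash'])) {
        session_start();
        session_regenerate_id(true);
        $_SESSION['user_id'] = $user['id'];
        header('Location: /home'); // assumed landing page
        exit;
    }
    $error = 'Invalid username or password.';
}
?>
<form method="post" action="">
  <?php if ($error !== null): ?><p><?= h($error) ?></p><?php endif; ?>
  <!-- The raw $username is escaped for HTML here, never for SQL, so a single
       quote typed by the user comes back as typed, with no stray backslash,
       and a value such as "><script> cannot break out of the attribute. -->
  <input type="text" name="username" value="<?= h($username) ?>">
  <input type="password" name="password">
  <button type="submit">Sign in</button>
</form>
```

The point the thread turns on is that escaping belongs to an output context, not to the variable: one escaping function per sink (the SQL driver's parameter binding for the query, htmlspecialchars for the page), applied at the sink. If you do keep the sprintf approach from the answer instead of prepared statements, call set_charset() on the connection first, because mysqli_real_escape_string() escapes according to the connection's character set, and keep every '%s' inside quotes in the template.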


I see, will look into prepared statements :) Thank you!
